Distribute Rego policies through Artifact Hub?

[lizrice]

Would it make sense for users to be able to obtain Tracee policies in Rego from Artifact Hub?

[itaysk]

Good point! We have #533 but it's not mature enough to be an actionable issue, so this can be a good place to discuss.

Definitely policies should be distributed out of band from the Tracee release lifecycle, and hosted and versioned outside of the release assets.
I think the other obvious options are hosted on GitHub (git) or setup a simple http server, both have their drawbacks and this Artifact Hub looks like a good option to explore.

[simar7]

Yes, Artifact Hub as a distribution channel makes sense for Rego based policies. However, I wonder if we have now two ways of distribution and if we really do need both. They being the following:

1. Github Releases of pre-built rules object files
2. Artifact Hub distribution of rego policies

I outline some pros & cons of the first approach here #533 (comment)

[itaysk]

yes that is a good point, that we have go and rego rules to consider. I'm not sure both should get the same treatment, but would be very nice if we could.

[itaysk]

more options to the mix:
OPA's bundles. these are simple zipped folders with the policies inside them, servable over HTTP. the benefit is that they are common in OPA world and can potentially contain any file. also they can be signed and verified.

another option is using an generic OCI registry. OPA/Conftest supports distributing rego file this way already. I'm actually surprised now that ArtifactHub isn't OCI as well.

we'll need to run some comparison and determine the best option for us